I guess in retrospect, fingerprints aren't the best idea for biometrics on a phone since the prints themselves are left on the device with typical use. So basically, steal the phone and you have the print. I wonder if they could have you image your knuckles or something like that instead.

Some critics have castigated the technique as too difficult for the average hacker. Others have argued the hack has little significance in the real world.

People saying this also have to remember that this technique was developed less than 48 hours after they got their hands on the device -- I'm sure there will be easier hacks out there soon enough.

Quote:

As Ars pointed out last week, the security of iPhones would improve dramatically if Apple allowed users to unlock iPhones only after producing a valid PIN and fingerprint. This would make the iPhone a truly two-factor device, and Apple's decision not to provide the option is a missed opportunity.

Hopefully an Android handset maker implements a Touch ID equivalent, doesn't get sued by Apple, and a custom lock screen can be added into a custom ROM -- cyanogenmod et al. -- to do just this.

I guess in retrospect, fingerprints aren't the best idea for biometrics on a phone since the prints themselves are left on the device with typical use. So basically, steal the phone and you have the print. I wonder if they could have you image your knuckles or something like that instead.

There isn't even any retrospect. This is obvious. It is like the picture password on Win8 devices. It doesn't make sense because once you have the device you have the print.

The author's suggestion is a very good one as most people won't use anything other than a thumb or a forefinger to press the home button aside from unlocking it.

The long and the short of it really is to not lose control of your device. Physical compromise is almost a guarantee that your information will be disclosed.

Another tip is to validate prints only from the left fingers if you're right-handed or vice versa. If you always open doors or drink using the right hand, you'll hardly ever donate your usable print info to anyone.

How about using only the tip of your thumb? Also not frequently left on a beer glass? For me, I think the convenience still outweighs the risks (assuming I can get my claws on an actual 5s).

If you touch the screen you are going to leave a print, doesn't matter if it's the fingertip, thumb tip, toe print, nose print, ear print, genital print....

They are lifting whatever the print is from the screen, duplicating that print, then using it to get into the phone. So if, for example, someone steals the phone and is able to lift and duplicate the print they will still be able to get into the phone.

It amazes me that Touch ID was not implemented alongside a two factor system on the debut. Apple has a very well thought out UI with a lot of features that have stood the test of time and considering their market penetration, having thoughtful security should be at the top of their priorities now.

I don't understand this reaction to a fingerprint sensor not being perfect. Isn't that obvious? If Apple had invented a perfect fingerprint sensor then a lot of three letter agencies would have been interested.

A lot of this seems to me to be missing the point. This was intended to be an easy and convenient way to secure a phone that otherwise would not have been secured. Loads of people do not bother with a PIN, and even then tend to use short four digit PINs which are as dubious as a touch sensor. To me, anything that persuades more people to at least lock their phone is a win.

Having said that, the Apple marketing could have done a better job at communicating this, and I sorely wish there was an option for two factor authentication all the time, rather than just at restarts.

"Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband," he wrote in an e-mail to Ars. "Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy—you just need to try."

Any sufficiently determined attacker can crack 4-digit PIN codes as well. All they need to do is stealthily shoulder-surf as you type it in. Touch ID works better against average thieves than a PIN, as a thief needs to spend time taking a high resolution photo of your fingerprint, touching up the photo, getting to a laser printer, applying the latex, and letting the latex film settle. That gives the victim some time to remotely disable their phone from the Find My iPhone app.

Yes, it's true that a thief can perform these steps before stealing the phone, but that's a targeted attack. And with mobile devices, all bets are off in targeted attacks.

How fresh was the fingerprint - Apple claims TouchID gets better at discerning your fingerprint with each use. I'm curious if this only fools Touch ID because it was a newly registered finger; as opposed to fooling TouchID after a fingerprint has been used for a week, month, year. Time will tell. Still better than not having any security at all.

Any sufficiently determined attacker can crack 4-digit PIN codes as well. All they need to do is stealthily shoulder-surf as you type it in. Touch ID works better against average thieves than a PIN, as a thief needs to spend time taking a high resolution photo of your fingerprint, touching up the photo, getting to a laser printer, applying the latex, and letting the latex film settle. That gives the victim some time to remotely disable their phone from the Find My iPhone app.

Yes, it's true that a thief can perform these steps before stealing the phone, but that's a targeted attack. And with mobile devices, all bets are off in targeted attacks.

On the other hand, they can unlock your phone using TouchID without ever looking over your shoulder or figuring out your password. Your fingerprint is likely all over the screen, so if they want in, they just swipe your device immediately and go to work.

God, recommending using an inconvenient finger for unlocking is a really ugly workaround...

What I would like Apple to do: Add a configurable timeout for TouchID after which it requires a PIN:

Immediately, 5 minutes, 15 minutes, 1 hour, 2 hours, 6 hours

Make it default to 1 hour.

This would mean that

a) whatever you set it to you'd need to type your PIN at least once a day (in the morning, if you sleep more than 6 hours) which at least means you will remember it. The current timeout of 48 hours (or a reboot of the phone) basically means that most people will have forgotten their PIN when they need it.

b) the default of one hour would mean that a thief would need to be really fast with nicking your device and faking a finger.

c) if you REALLY need security set the timeout to "Immediately" and presto, you have two-factor authentication.

If Apple would have done that right away nobody would have to complain about all of this.

TouchID is a convenience feature, no more, no less. It's much better than not having a PIN and much more convenient than a PIN (or even a complex password). Apple should have marked it as this by choosing defaults wisely and allowing an option to turn it into a security feature (by using it for two-factor authentication without a timeout).

In all honesty, the notion that this was going to be particularly secure never should have been forwarded - it's a secondary convenience feature that keeps the honest people out of your phone (much like the function the door locks on most private dwellings do for their security). One can hope that Apple put enough thought into the design that the fingerprints left on the button time after time don't trigger it...

Purpose-built biometric scanners costing more than the (unsubsidised) price of this phone can be defeated with access to prints, irises, blood vessel patterns on the back of your hand, etc. Even those that purport to detect live fingers, hands, whatnot have been defeated. There's no magic bullet factor of security - biometrics would ideally simply become part of the authentication. I've often heard it said that the ideal authentication scheme consists of something you know, something you have, and something you are - ie a password, a token, and a biometric.

How fresh was the fingerprint - Apple claims TouchID gets better at discerning your fingerprint with each use. I'm curious if this only fools Touch ID because it was a newly registered finger; as opposed to fooling TouchID after a fingerprint has been used for a week, month, year. Time will tell. Still better than not having any security at all.

I took Apple's statement to mean it unlocks easier over time since it's seen more of your finger with each use. I think the hack would get easier over time, not harder.

If I have sufficient access to take a high res picture of someone's fingerprint and duplicate it, then I have sufficient access to record that person entering their PIN with a buttoncam, camera in the frame of my eyeglasses, or even just holding up my camera and seemingly recording a video of a party while I'm actually capturing someone unlocking their phone.

Touch ID is no less secure than a 4 digit PIN code and this "hack" is the very definition of social engineering.

Given Apple's long history of removing clutter from menus and user interfaces, it seems unlikely that this option will ever be available.

I bet this will be available on Cydia shortly after the jailbreak for the 5s is discovered. Hopefully Apple can be brought around to adding it to the phone as well, it seems like it should be pretty easy to implement.

It amazes me that a half baked, incomplete video is taken at face value and everything that Apple and Authentec have published is trashed as a lie.

Granted, someone will likely find a workable hack around the fingerprint reader in the iPhone 5S, but I simply don't believe that what these guys in Germany did (just a more complicated form of fingerprint lifting) is all it takes to circumvent the sub-epidermal, 3D capacitive topology mapping technology of the Authentec sensor.

This type of hack would surely have been among the FIRST things that Apple would have attempted as part of their technical due diligence prior to purchasing Authentec.

Until a COMPLETE video, with absolute timeline integrity, starting with an iPhone devoid of ALL fingerprint training, that documents the ENTIRE process AND the process is replicated by numerous others using the same process, this is nothing more than an attempt to claim a prize, NOT defeat Touch ID.

Apple is NOT infallible, but they are far from stupid and they have hundreds of millions invested in this technology as well as their reputation on the line, so I call BS on this purported hack until it is absolutely proven.

I think I can safely predict a new Apple product on the horizon: the iThumb prophylactic. You use it when you don't want to leave your thumbprint around. You use the handy patented flip clip to quickly plant your print on the home button.

I'm curious as to the source for the claim that "it seems unlikely that this option will ever be available".

Yes, I can tell that this option isn't there now, but I, for one, think it'll be in an update to iOS 7 shortly: ability to require both fingerprint and password. It seems like low-hanging fruit.

Passwords and fingerprints are equivalent: if you share them with someone then they can use them. Sure, fingerprints are "easy" to share (accidentally), so it seems obvious that the system has a built-in flaw. As many have said, it's almost impossible to keep your retina or fingerprint truly "secret" (when I got my green card, they took all my fingerprints, so the government could easily use this method to access my phone (if I had a 5s)).

I don't understand the "surprise" here. Lifting fingerprints and generating a "fake" finger is not new, why is anyone surprised that it works?

Author, the sky is not falling. The sort of hack over the weekend required physical access to the phone and the phone's fingerprint-registered owner himself. He was complicit. That's a bit much. If I lose my phone at Disneyland and return home 1,000 away, will this hack work?

TouchID is a convenience feature, no more, no less. It's much better than not having a PIN and much more convenient than a PIN (or even a complex password). Apple should have marked it as this by choosing defaults wisely and allowing an option to turn it into a security feature (by using it for two-factor authentication without a timeout).

I think for the average Joe TouchID is good enough. My brother has a passcode on his phone, because he doesn't trust that the people he hangs out with aren't going to grab his phone and post fake messages to Facebook, etc. Nobody is going to go through the trouble lifting prints and generating a fake finger so they can get onto a friend's phone to snoop around or pull pranks.

The only people who might have a reason to be worried would be the sort of people in occupations where they have lots of confidential information and contacts stored on the phone, which I suspect is actually the minority of iPhone 5s owners.

I don't understand this reaction to a fingerprint sensor not being perfect. Isn't that obvious? If Apple had invented a perfect fingerprint sensor then a lot of three letter agencies would have been interested.

A lot of this seems to me to be missing the point. This was intended to be an easy and convenient way to secure a phone that otherwise would not have been secured. Loads of people do not bother with a PIN, and even then tend to use short four digit PINs which are as dubious as a touch sensor. To me, anything that persuades more people to at least lock their phone is a win.

Having said that, the Apple marketing could have done a better job at communicating this, and I sorely wish there was an option for two factor authentication all the time, rather than just at restarts.

Apple fudged the marketing and implementation of the fingerprint reader. I think it's fair to complain at this point, especially with solid evidence in hand of what everyone who knew anything about fingerprint scanning tech already suspected: that for all they dressed it up, this was not substantially better than any of the other easily beaten consumer grade fingerprint tech.

If they hadn't sold it as some amazing and perfectly secure thing (Apple really played it up quite a bit), there would have simply been statements of "well of course it's hackable, but it's better than swipe to unlock at least, and the newer tech at least makes it more difficult to hack than just using a piece of tape" and it would have been left at that.

Apple shot their own foot on this one, honestly. They were practically ASKING for someone to demonstrate a hack and in turn to have a big deal made of it. Especially by not having 2 factor as an always available option (or even via time-out as suggested above).

There's some merit in this second argument, since any protection, no matter how flawed, is better than none at all.

A false sense of security may cause people to be more lax about their security, which may make things worse.

More pertinently, I think, why would someone too lazy to use a PIN bother with swiping their fingers?

The bald fact of the matter is that a lot of people just don't get why we should maximize security. One of my coworkers straight up said "If someone wants in my phone, they'll just get in anyway"; I've seen that basic sentiment from pretty much every walk of life, including geeks who have a better than average understanding of the situation. It rather baffles me.

Also, it annoys me; I know at least one person has had their device stolen, and I ended up on mailing lists and shit because I was on the contact list. Now it's stopped being their problem, and become mine.

The author does not give Apple sufficient credit when implying they would not be interested in making two-factor authentication an option. They did with iCloud. IF this proves to be a problem with people getting hacked, you can bet they will implement it. It would be a minor tweak to the Touch ID API.

Lots of people have pointed out the critically flawed video to begin with. The media for the fingerprint is transparent. How do we know it wasn't actually reading through the media and getting an actual fingerprint of the hacker? I think more scrutiny is justified before declaring this a "decisive" defeat of Touch ID.

A lot of this hand-wringing and hysterical headline writing is a bit premature and will only become a legitimate concern if someone comes up with a way to hack a phone in less time than a person takes to figure their phone is missing and wiping it. And anyone who can wipe it using the tools in iCloud who has a tiny bit of savvy is going to have already set up the two-factor security setup for unbricking a bricked phone in this process.

Some critics have castigated the technique as too difficult for the average hacker. Others have argued the hack has little significance in the real world.

People saying this also have to remember that this technique was developed less than 48 hours after they got their hands on the device -- I'm sure there will be easier hacks out there soon enough.

It's inaccurate to imply this hack method was developed in 48 hours; this approach to spoofing fingerprint readers has been around a long time. It just took 48 hours for someone to make a video of using it on an iPhone 5S.

I want to see this "hack" verified by another party. If successful then it means that capacitive sensors differ from optical sensors in that they simply require a 3D replication of the fingerprint. However, it's hard to imagine that you could properly create a 3D replica of a fingerprint from a 2D smudge left on glass unless the sensor is not sensitive enough to the microscopic distance between hills and valleys on your fingerprints.

The other thing I want to know is "how long" it takes to produce the 3D replica of the fingerprint. If it takes more than 48 hours, then Touch ID's automatic deactivation will prevent access without a password after 48 hours. If Apple let me control how long that timeout was then I would feel even better. For me, I would set it closer to 12 hours.

Also, keep in mind that there is still Find My iPhone on the device. Certainly, a thief could steal the device but if they shut it down to prevent remote wiping then rebooting would cause Touch ID to require a password again. So unless you are dumb enough to enable Control Center on lock screen and give the thief access to Airplane Mode, then the thief had better bring something to shield the device from radio signals while they are working on removing your fingerprints from it.

It certainly seems like a whole lot of hoops to go through and not nearly as easy as Graham implies in this article. It also seems like a couple of steps like allowing users to configure their Touch ID timeout or even requiring a simple "second factor" like proximity and connection to another device like an iWatch would easily take Touch ID to the level it needs to be for corporate security.

"Having a passcode is a mandatory Touch ID requirement. You can’t choose to only use Touch ID to unlock your device. In the event that your fingerprint isn’t recognized, you can always manually type in your passcode."

"If you’ve restarted your phone, you need to manually type in your passcode once before you can use Touch ID. If you haven’t unlocked your phone in 48 hours, you’ll need to supply your passcode before Touch ID is an option. Repeated failed attempts (5) to access your 5s via Touch ID will force you to enter a passcode as well."